CTF Challenge #9: Phish or Legit? 10 Emails Your Staff Must Learn to Spot

Difficulty: Beginner | Reading time: 10 minutes | Product tie-in: Employee Security Awareness Training Kit for SMBs ($67)


TL;DR

  • Phishing is the starting point in over 80% of successful breaches [1]
  • This challenge presents 10 realistic email scenarios — your job is to classify each as phishing or legitimate
  • Share this with your team: the better they score, the lower your breach risk
  • The lil.business Security Awareness Training Kit gives you a complete employee training program to build this skill across your whole organisation

Why Phishing Still Works

Modern phishing attacks do not look like Nigerian prince emails. They look like:

  • A legitimate Microsoft 365 login page
  • An invoice from a vendor you actually use
  • A password reset from your CEO
  • An ATO tax refund notification
  • A DocuSign request for a "contract update"

The reason they work: humans are optimistic, busy, and trained to respond quickly. The reason training works: recognising the patterns reduces click rates by 60–80% [2].

Use this challenge as a team exercise. Share it at your next all-hands. The discussion after is where the learning happens.


The Challenge: Phish or Legit?

For each email scenario, decide: Phishing, Legitimate, or Suspicious (needs verification before acting).


Email 1

From: [email protected]
Subject: Your Microsoft 365 account will be suspended in 24 hours
Body: "We have detected unusual activity on your Microsoft 365 account. To avoid suspension, please verify your identity immediately using the link below. Failure to act within 24 hours will result in account deactivation."
Link: https://microsoft-accounts.net/verify/login


Email 2

From: [email protected]
Subject: Invoice XRO-2026-4821 is ready for payment
Body: "Hi [Your Name], Your invoice for March is ready. Login to your Xero account to view and approve payment. This invoice is due in 14 days."
Link: https://go.xero.com/invoices/XRO-2026-4821


Email 3

From: [email protected]
Subject: Urgent - Please process this wire transfer today
Body: "Hi [Finance Team], I'm in a meeting all day and need you to process an urgent payment to a new supplier. Details below. Please don't call me - just confirm via email when done. Amount: $18,500 AUD. Account: [bank details]"

(Note: Sarah is your CEO. You received this at 11 PM.)


Email 4

From: [email protected]
Subject: Tax refund: $1,847.00 is ready to be claimed
Body: "The Australian Tax Office has processed your tax return and identified a refund of $1,847.00. To receive your refund, click below to confirm your bank details. This offer expires in 48 hours."
Link: https://ato-refunds.com.au/claim/R28471


Email 5

From: [email protected]
Subject: Critical: Your password expires today
Body: "Your company password expires today. Please click the link below to reset your password immediately to maintain access to all company systems."
Link: https://yourcompany-helpdesk.com/password-reset


Email 6

From: [email protected]
Subject: Your parcel 7G82-AU-9041 could not be delivered
Body: "We attempted delivery of your parcel but no one was home. To reschedule delivery or arrange collection, please confirm your delivery address and pay the $3.50 customs fee."
Link: https://auspost.com.au/parcels/reschedule (this is only the displayed text; the actual link is a shortened URL that resolves to a different domain)


Email 7

From: [email protected]
Subject: Notice of legal action — File #AU-2026-18421
Body: "This notice is to inform you that Bluestream Partners has initiated legal proceedings against [Your Business Name] for unpaid services totalling $42,000. You have 5 business days to respond before we file with the court. Documents attached."
Attachment: Notice_AU-2026-18421.docx (a Word file with macros)


Email 8

From: [email protected]
Subject: Someone tried to sign in to your LinkedIn account
Body: "We noticed a sign-in attempt to your account from a new location (Melbourne, Australia). If this was not you, secure your account immediately."
Link: https://www.linkedin.com/uas/login?session_redirect=...

(You checked: the link goes to the real linkedin.com domain. You did not attempt to sign in from Melbourne.)


Email 9

From: [email protected]
Subject: Direct debit banking details update required
Body: "As part of our annual banking refresh, all staff need to re-confirm their bank details for payroll processing. Please click the secure form below and enter your BSB and account number by Friday."
Link: https://forms.yourcompany.com.au/payroll-update

(Note: You have never seen a request like this before. You didn't receive any communication about a banking system update.)


Email 10

From: [email protected]
Subject: Payment failed — Your account may be suspended
Body: "We were unable to process your most recent payment. Please update your payment information to avoid service interruption."
Link: https://dash.cloudflare.com/billing

(Note: You do use Cloudflare. The link goes to the real cloudflare.com domain.)


The Answers

Email 1: PHISHING

Red flag: microsoft-accounts.net — Microsoft uses microsoft.com. Any domain variation is a spoofing attempt. Urgency + suspension threat + non-Microsoft domain = textbook phishing.

Email 2: LEGITIMATE (with caution)

xero.com is the legitimate Xero domain. go.xero.com is a real Xero subdomain used for invoice links. If you use Xero and the invoice number is plausible, this is likely legitimate. Still worth logging in independently to check rather than clicking the email link.

Email 3: PHISHING — Business Email Compromise (BEC)

This is BEC. The patterns: CEO impersonation + urgent financial request + "don't call me" + after-hours timing + new payee. This is the most financially damaging attack type — Australian SMBs lose millions annually to BEC [3]. Always verify financial requests via a phone call to a number you already have on file. Never use contact details in the email.

Email 4: PHISHING

The ATO never sends refund emails asking you to confirm bank details. The ATO processes refunds to your nominated account on file. The domain ato-refunds.com.au is not a real ATO domain — the ATO uses ato.gov.au exclusively. The 48-hour urgency is a pressure tactic.

Email 5: PHISHING

yourcompany-helpdesk.com is not your company domain. Legitimate IT support systems use your company's own domain or a known, established service (e.g. ServiceNow on your company domain). The request to click an external link for a password reset is a credential harvesting attack.

Email 6: SUSPICIOUS — likely phishing

The AusPost domain is real (auspost.com.au). However, the $3.50 customs fee is a known AusPost phishing pattern. AusPost never sends delivery fee payment requests via email — they use an official parcel tracking system. The shortened link resolving to a different domain is decisive: this is phishing.

Email 7: PHISHING

Legitimate legal correspondence does not arrive via email with a Word document containing macros. Macro-enabled documents are a primary malware delivery mechanism. Real legal firms serving notices use registered post or process servers for formal proceedings. The urgent timeframe + unexpected nature + macro attachment = malware delivery attempt.

Email 8: LEGITIMATE (treat as suspicious to investigate)

The link goes to the real LinkedIn domain and the email came from linkedin.com. This is likely a legitimate security notification. However, because you didn't try to sign in from Melbourne, treat it as a real security event: someone may have your password. Log in independently and change your password, and check for active sessions. Do not click the link in the email — go directly to LinkedIn.

Email 9: SUSPICIOUS — verify before acting

This is either phishing or a poorly communicated internal process. The request to enter BSB and account numbers via a form, without prior communication about a banking system change, matches a payroll diversion attack pattern. Call payroll directly to verify. If it's legitimate, there will be a simple explanation. If it's not, you've prevented a payroll fraud.

Email 10: LEGITIMATE (verify independently)

The link goes to the real Cloudflare domain and you are a Cloudflare customer. This is likely legitimate. Best practice: don't click the link in the email — open your browser and navigate to dash.cloudflare.com directly to check your billing status.
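The red flags the answer key applies across the ten scenarios (a link domain that is not a known brand domain, a displayed link that resolves elsewhere, a macro-enabled attachment, a request to skip phone verification, money or banking-detail requests, deadline pressure) can be turned into a rule-based triage check. The Python below is an added example, not part of the challenge or the training kit; the KNOWN_DOMAINS allowlist and the assumption that yourcompany.com.au is your own company domain are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Brand domains the answer key treats as genuine (constructed allowlist for this example;
# yourcompany.com.au stands in for your own company domain).
KNOWN_DOMAINS = {"microsoft.com", "xero.com", "ato.gov.au", "auspost.com.au",
                 "linkedin.com", "cloudflare.com", "yourcompany.com.au"}
URGENCY = re.compile(r"immediately|urgent|24 hours|48 hours|expires today|suspen(?:d|sion)", re.I)
MONEY = re.compile(r"bank details|BSB|wire transfer|payment information|customs fee", re.I)
NO_VERIFY = re.compile(r"don['\u2019]?t call", re.I)

def registrable_domain(host):
    """Reduce a hostname to its registrable part: go.xero.com -> xero.com,
    forms.yourcompany.com.au -> yourcompany.com.au (two-level country suffixes)."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"com", "gov", "net", "org", "edu", "co"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def domain_of(url):
    return registrable_domain(urlparse(url).hostname or "")

def triage(email):
    """Classify a scenario dict (keys: body, link, resolves_to, attachment_has_macros).
    Returns (verdict, reasons). Decisive flags give PHISHING; soft flags give SUSPICIOUS."""
    decisive, soft = [], []
    link = email.get("link")
    if link and domain_of(link) not in KNOWN_DOMAINS:
        decisive.append(f"link domain {domain_of(link)} is not a known brand domain")
    if link and email.get("resolves_to") and domain_of(email["resolves_to"]) != domain_of(link):
        decisive.append("displayed link resolves to a different domain")
    if email.get("attachment_has_macros"):
        decisive.append("macro-enabled Office attachment")
    body = email.get("body", "")
    if NO_VERIFY.search(body):
        decisive.append("discourages out-of-band verification")
    if MONEY.search(body):
        soft.append("asks for money or banking details")
    if URGENCY.search(body):
        soft.append("deadline pressure")
    if decisive:
        return "PHISHING", decisive + soft
    if soft:
        return "SUSPICIOUS", soft  # verify through a channel you already trust before acting
    return "LEGITIMATE", ["no red flags; still navigate to the site directly rather than clicking"]
```

Run triage() on a dict built from each scenario's body, link and attachment; anything involving payment details lands on SUSPICIOUS by design, matching the answer key's "verify independently" advice for Emails 9 and 10.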


Your Score

10/10 — Excellent. You're unlikely to fall for most attacks. Share this with your team — can they match your score?

7–9/10 — Good. A couple of tricky scenarios caught you. The BEC and payroll scenarios are the most dangerous ones to miss.

4–6/10 — Average. Several gaps that an attacker would exploit. This is typical of untrained staff.

0–3/10 — High risk. Without training, this is what most phishing simulations show. This is fixable.


Why Training Is Your Highest-ROI Security Investment

Antivirus catches known malware. MFA stops credential stuffing. But a convincing BEC email sent to the right person bypasses every technical control. The human is always in the loop for financial decisions, document approvals, and access requests.

Security awareness training reduces successful phishing click rates from an industry average of 31% to under 5% within six months of regular training [2].

The lil.business Employee Security Awareness Training Kit for SMBs gives you a complete, ready-to-run training program: a 60-minute workshop deck, phishing scenario library (including the ones above), a monthly phishing simulation guide, a quick-reference card for staff, and a manager's guide for delivering training in-house without a security background.

$67 — Get the Security Awareness Training Kit


FAQ

Annual training is the minimum but provides limited protection on its own. Monthly short reinforcement (10–15 minutes: a scenario walkthrough or simulated phishing test) is more effective than a single annual session. The goal is to build a habit of scepticism, not a one-time knowledge transfer.

BEC is an attack where an adversary impersonates a trusted person — usually a CEO, finance director, or supplier — to request a fraudulent financial transfer or sensitive data. Unlike malware attacks, BEC requires no technical sophistication and bypasses most technical controls because the emails look legitimate. Australian SMBs are frequently targeted. The FBI's IC3 report listed BEC as the highest-value cybercrime category in 2024 [3].

Simulated phishing tests — followed immediately by personalised feedback and a short explanation when someone clicks — consistently outperform classroom instruction alone. The moment of failure is when the lesson is most memorable. A good training program combines periodic simulations with short reinforcement content and a clear reporting process.


References

[1] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[2] KnowBe4, "Phishing by Industry Benchmarking Report 2025," KnowBe4, 2025. [Online]. Available: https://www.knowbe4.com/phishing-industry-benchmarks

[3] FBI, "Internet Crime Report 2024," IC3, 2025. [Online]. Available: https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf

[4] ACSC, "Report a Cyber Incident," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/report-and-recover/report

[5] Australian Federal Police, "Business Email Compromise," AFP, 2024. [Online]. Available: https://www.afp.gov.au/news-centre/media-release/business-email-compromise


Build a team that doesn't click. The lil.business Employee Security Awareness Training Kit for SMBs — $67, instant download.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation